feat: restrict smtp sender address (#3637)

* fix: check if sender address is custom domain * fix: check if sender address is custom domain * fix: check if sender address is custom domain Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2022-05-16 16:08:47 +02:00
parent 40de8d5b3b
commit 5c0f527a49
39 changed files with 510 additions and 153 deletions
--- a/internal/api/grpc/admin/domain_policy.go
+++ b/internal/api/grpc/admin/domain_policy.go
@@ -27,7 +27,7 @@ func (s *Server) GetCustomDomainPolicy(ctx context.Context, req *admin_pb.GetCus
 }

 func (s *Server) AddCustomDomainPolicy(ctx context.Context, req *admin_pb.AddCustomDomainPolicyRequest) (*admin_pb.AddCustomDomainPolicyResponse, error) {
-	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, req.ValidateOrgDomains))
+	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, req.ValidateOrgDomains, req.SmtpSenderAddressMatchesInstanceDomain))
 	if err != nil {
 		return nil, err
 	}
@@ -76,10 +76,11 @@ func (s *Server) ResetCustomDomainPolicyTo(ctx context.Context, req *admin_pb.Re
 	return nil, nil //TOOD: return data
 }

-func domainPolicyToDomain(userLoginMustBeDomain, validateOrgDomains bool) *domain.DomainPolicy {
+func domainPolicyToDomain(userLoginMustBeDomain, validateOrgDomains, smtpSenderAddressMatchesInstanceDomain bool) *domain.DomainPolicy {
 	return &domain.DomainPolicy{
-		UserLoginMustBeDomain: userLoginMustBeDomain,
-		ValidateOrgDomains:    validateOrgDomains,
+		UserLoginMustBeDomain:                  userLoginMustBeDomain,
+		ValidateOrgDomains:                     validateOrgDomains,
+		SMTPSenderAddressMatchesInstanceDomain: smtpSenderAddressMatchesInstanceDomain,
 	}
 }

@@ -88,8 +89,9 @@ func updateDomainPolicyToDomain(req *admin_pb.UpdateDomainPolicyRequest) *domain
 		// ObjectRoot: models.ObjectRoot{
 		// 	// AggreagateID: //TODO: there should only be ONE default
 		// },
-		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
-		ValidateOrgDomains:    req.ValidateOrgDomains,
+		UserLoginMustBeDomain:                  req.UserLoginMustBeDomain,
+		ValidateOrgDomains:                     req.ValidateOrgDomains,
+		SMTPSenderAddressMatchesInstanceDomain: req.SmtpSenderAddressMatchesInstanceDomain,
 	}
 }

@@ -98,13 +100,14 @@ func updateCustomDomainPolicyToDomain(req *admin_pb.UpdateCustomDomainPolicyRequ
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: req.OrgId,
 		},
-		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
-		ValidateOrgDomains:    req.ValidateOrgDomains,
+		UserLoginMustBeDomain:                  req.UserLoginMustBeDomain,
+		ValidateOrgDomains:                     req.ValidateOrgDomains,
+		SMTPSenderAddressMatchesInstanceDomain: req.SmtpSenderAddressMatchesInstanceDomain,
 	}
 }

 func (s *Server) AddCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.AddCustomOrgIAMPolicyRequest) (*admin_pb.AddCustomOrgIAMPolicyResponse, error) {
-	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, true))
+	policy, err := s.command.AddOrgDomainPolicy(ctx, req.OrgId, domainPolicyToDomain(req.UserLoginMustBeDomain, true, true))
 	if err != nil {
 		return nil, err
 	}
@@ -163,8 +166,9 @@ func (s *Server) GetCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.GetCus

 func updateOrgIAMPolicyToDomain(req *admin_pb.UpdateOrgIAMPolicyRequest) *domain.DomainPolicy {
 	return &domain.DomainPolicy{
-		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
-		ValidateOrgDomains:    true,
+		UserLoginMustBeDomain:                  req.UserLoginMustBeDomain,
+		ValidateOrgDomains:                     true,
+		SMTPSenderAddressMatchesInstanceDomain: true,
 	}
 }

@@ -173,7 +177,8 @@ func updateCustomOrgIAMPolicyToDomain(req *admin_pb.UpdateCustomOrgIAMPolicyRequ
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: req.OrgId,
 		},
-		UserLoginMustBeDomain: req.UserLoginMustBeDomain,
-		ValidateOrgDomains:    true,
+		UserLoginMustBeDomain:                  req.UserLoginMustBeDomain,
+		ValidateOrgDomains:                     true,
+		SMTPSenderAddressMatchesInstanceDomain: true,
 	}
 }
--- a/internal/api/grpc/policy/domain_policy.go
+++ b/internal/api/grpc/policy/domain_policy.go
@@ -8,9 +8,10 @@ import (

 func DomainPolicyToPb(policy *query.DomainPolicy) *policy_pb.DomainPolicy {
 	return &policy_pb.DomainPolicy{
-		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-		ValidateOrgDomains:    policy.ValidateOrgDomains,
-		IsDefault:             policy.IsDefault,
+		UserLoginMustBeDomain:                  policy.UserLoginMustBeDomain,
+		ValidateOrgDomains:                     policy.ValidateOrgDomains,
+		SmtpSenderAddressMatchesInstanceDomain: policy.SMTPSenderAddressMatchesInstanceDomain,
+		IsDefault:                              policy.IsDefault,
 		Details: object.ToViewDetailsPb(
 			policy.Sequence,
 			policy.CreationDate,